Exploiting Eye Tracking for Smartphone Authentication

  • Dachuan Liu
  • Bo Dong
  • Xing Gao
  • Haining Wang
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9092)


Traditional user authentication methods using passcode or finger movement on smartphones are vulnerable to shoulder surfing attack, smudge attack, and keylogger attack. These attacks are able to infer a passcode based on the information collection of user’s finger movement or tapping input. As an alternative user authentication approach, eye tracking can reduce the risk of suffering those attacks effectively because no hand input is required. However, most existing eye tracking techniques are designed for large screen devices. Many of them depend on special hardware like high resolution eye tracker and special process like calibration, which are not readily available for smartphone users. In this paper, we propose a new eye tracking method for user authentication on a smartphone. It utilizes the smartphone’s front camera to capture a user’s eye movement trajectories which are used as the input of user authentication. No special hardware or calibration process is needed. We develop a prototype and evaluate its effectiveness on an Android smartphone. We recruit a group of volunteers to participate in the user study. Our evaluation results show that the proposed eye tracking technique achieves very high accuracy in user authentication.


Authentication Eye tracking Privacy protection Smartphone 


  1. 1.
  2. 2.
    Aviv, A.J., Gibson, K., Mossop, E., Blaze, M., Smith, J.M.: Smudge attacks on smartphone touch screens. In: WOOT 2010, pp. 1–7. USENIX Association (2010)Google Scholar
  3. 3.
    Bednarik, R., Kinnunen, T., Mihaila, A., Fränti, P.: Eye-movements as a biometric. In: Kalviainen, H., Parkkinen, J., Kaarna, A. (eds.) SCIA 2005. LNCS, vol. 3540, pp. 780–789. Springer, Heidelberg (2005) CrossRefGoogle Scholar
  4. 4.
    Berger, Y., Wool, A., Yeredor, A.: Dictionary attacks using keyboard acoustic emanations. In: ACM CCS 2006, pp. 245–254. ACM (2006)Google Scholar
  5. 5.
    Cai, L., Chen, H.: Touchlogger: Inferring keystrokes on touch screen from smartphone motion. In: Hot Topics in Security HotSec (2011)Google Scholar
  6. 6.
    Clarke, N.L., Furnell, S.M.: Authenticating mobile phone users using keystroke analysis. Int. J. Inf. Secur. 6(1), 1–14 (2006)CrossRefGoogle Scholar
  7. 7.
    De Luca, A., Denzel, M., Hussmann, H.: Look into my eyes!: can you guess my password?. In: SOUPS 2009, pp. 7:1–7:12. ACM (2009)Google Scholar
  8. 8.
    De Luca, A., Hang, A., Brudy, F., Lindner, C., Hussmann, H.: Touch me once and I know it’s you!: implicit authentication based on touch screen patterns. In: CHI 2012, pp. 987–996. ACM (2012)Google Scholar
  9. 9.
    De Luca, A., Weiss, R., Drewes, H.: Evaluation of eye-gaze interaction methods for security enhanced pin-entry. In: OZCHI 2007, pp. 199–202. ACM (2007)Google Scholar
  10. 10.
    De Luca, A., Weiss, R., Humann, H., An, X.: Eyepass-eye-stroke authentication for public terminals. In: Czerwinski, M., Lund, A.M., Tan, D.S. (eds.) CHI Extended Abstracts, pp. 3003–3008. ACM (2008)Google Scholar
  11. 11.
    Drewes, H., De Luca, A., Schmidt, A.: Eye-gaze interaction for mobile phones. In: Mobility 2007, pp. 364–371. ACM (2007)Google Scholar
  12. 12.
    Holland, C., Komogortsev, O.V.: Biometric verification via complex eye movements: the effects of environment and stimulus. In: Biometrics: Theory, Applications and Systems (BTAS), pp. 39–46, September 2012Google Scholar
  13. 13.
    Holland, C.D., Komogortsev, O.V.: Complex eye movement pattern biometrics: analyzing fixations and saccades. In: Proceedings of IAPR ICB (2013)Google Scholar
  14. 14.
    Komogortsev, O.V., Karpov, A., Holland, C.D.: Cue: counterfeit-resistant usable eye movement-based authentication via oculomotor plant characteristics and complex eye movement patterns, vol. 8371, pp. 83711X–83711X-9 (2012)Google Scholar
  15. 15.
    Kumar, M., Garfinkel, T., Boneh, D., Winograd, T.: Reducing shoulder-surfing by using gaze-based password entry. In: SOUPS 2007, pp. 13–19. ACM (2007)Google Scholar
  16. 16.
    Li, L., Zhao, X., Xue, G.: Unobservable re-authentication for smartphones. The Internet Society. In: NDSS (2013)Google Scholar
  17. 17.
    Matsumoto, T., Matsumoto, H., Yamada, K., Hoshino, S.: Impact of artificial “gummy” fingers on fingerprint systems, vol. 4677, pp. 275–289 (2002)Google Scholar
  18. 18.
    Miluzzo, E., Varshavsky, A., Balakrishnan, S., Choudhury, R.R.: Tapprints: your finger taps have fingerprints. In: MobiSys 2012, pp. 323–336. ACM (2012)Google Scholar
  19. 19.
    Owusu, E., Han, J., Das, S., Perrig, A., Zhang, J.: Accessory: password inference using accelerometers on smartphones. In: HotMobile 2012, pp. 9:1–9:6. ACM (2012)Google Scholar
  20. 20.
    Serwadda, A., Phoha, V.V.: When kids’ toys breach mobile phone security. In: ACM CCS 2013, pp. 599–610. ACM (2013)Google Scholar
  21. 21.
    Shahzad, M., Liu, A.X., Samuel, A.: Secure unlocking of mobile touch screen devices by simple gestures: you can see it but you can not do it. In: MobiCom 2013, pp. 39–50. ACM (2013)Google Scholar
  22. 22.
    Vaitukaitis, V., Bulling, A.: Eye gesture recognition on portable devices. In: UbiComp 2012, pp. 711–714. ACM (2012)Google Scholar
  23. 23.
    Vidal, M., Bulling, A., Gellersen, H.: Detection of smooth pursuits using eye movement shape features. In: ETRA, pp. 177–180. ACM (2012)Google Scholar
  24. 24.
    Vidal, M., Bulling, A., Gellersen, H.: Pursuits: spontaneous interaction with displays based on smooth pursuit eye movement and moving targets. In: UbiComp 2013, pp. 439–448. ACM (2013)Google Scholar
  25. 25.
    Xu, Y., Heinly, J., White, A.M., Monrose, F., Frahm, J.: Seeing double: reconstructing obscured typed input from repeated compromising reflections. In: ACM CCS 2013, pp. 1063–1074. ACM (2013)Google Scholar
  26. 26.
    Xu, Z., Bai, K., Zhu, S.: Taplogger: inferring user inputs on smartphone touchscreens using on-board motion sensors. In: WISEC 2012, pp. 113–124. ACM (2012)Google Scholar
  27. 27.
    Zahid, S., Shahzad, M., Khayam, S.A., Farooq, M.: Keystroke-based user identification on smart phones. In: Kirda, E., Jha, S., Balzarotti, D. (eds.) RAID 2009. LNCS, vol. 5758, pp. 224–243. Springer, Heidelberg (2009) CrossRefGoogle Scholar
  28. 28.
    Zheng, N., Bai, K., Huang, H., Wang, H.: You are how you touch: User verification on smartphones via tapping behaviors. In: IEEE ICNP (2014)Google Scholar
  29. 29.
    Zhuang, L., Zhou, F., Tygar, J.D.: Keyboard acoustic emanations revisited. ACM Trans. Inf. Syst. Secur. 13(1), 3:1–3:26 (2009)CrossRefGoogle Scholar

Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  • Dachuan Liu
    • 1
    • 2
  • Bo Dong
    • 2
  • Xing Gao
    • 1
    • 2
  • Haining Wang
    • 1
  1. 1.University of DelawareNewarkUSA
  2. 2.College of William and MaryWilliamsburgUSA

Personalised recommendations